Update from stable branch.

#include <stdio.h>

#include <stdlib.h>

#include <assert.h>

#include "cryptlib.h"

#include <openssl/conf.h>

#include <openssl/asn1.h>

/*

 * Extract the AFI from an IPAddressFamily.

 */

unsigned v3_addr_get_afi(const IPAddressFamily *f)

unsigned int v3_addr_get_afi(const IPAddressFamily *f)

{

  return ((f != NULL &&

	   f->addressFamily != NULL &&

			const int length,

			const unsigned char fill)

{

  assert(bs->length >= 0 && bs->length <= length);

  OPENSSL_assert(bs->length >= 0 && bs->length <= length);

  if (bs->length > 0) {

    memcpy(addr, bs->data, bs->length);

    if ((bs->flags & 7) != 0) {

  int i;

  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {

    IPAddressFamily *f = sk_IPAddressFamily_value(addr, i);

    const unsigned afi = v3_addr_get_afi(f);

    const unsigned int afi = v3_addr_get_afi(f);

    switch (afi) {

    case IANA_AFI_IPV4:

      BIO_printf(out, "%*sIPv4", indent, "");

  if ((aor = IPAddressOrRange_new()) == NULL)

    return 0;

  aor->type = IPAddressOrRange_addressRange;

  assert(aor->u.addressRange == NULL);

  OPENSSL_assert(aor->u.addressRange == NULL);

  if ((aor->u.addressRange = IPAddressRange_new()) == NULL)

    goto err;

  if (aor->u.addressRange->min == NULL &&

  for (i = 0; i < sk_IPAddressFamily_num(addr); i++) {

    f = sk_IPAddressFamily_value(addr, i);

    assert(f->addressFamily->data != NULL);

    OPENSSL_assert(f->addressFamily->data != NULL);

    if (f->addressFamily->length == keylen &&

	!memcmp(f->addressFamily->data, key, keylen))

      return f;

			    unsigned char *max,

			    int length)

{

  assert(aor != NULL && min != NULL && max != NULL);

  OPENSSL_assert(aor != NULL && min != NULL && max != NULL);

  switch (aor->type) {

  case IPAddressOrRange_addressPrefix:

    addr_expand(min, aor->u.addressPrefix, length, 0x00);

  }

  sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);

  sk_IPAddressFamily_sort(addr);

  assert(v3_addr_is_canonical(addr));

  OPENSSL_assert(v3_addr_is_canonical(addr));

  return 1;

}

  for (i = 0; i < sk_IPAddressFamily_num(a); i++) {

    IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);

    int j = sk_IPAddressFamily_find(b, fa);

    IPAddressFamily *fb = sk_IPAddressFamily_value(b, j);

    IPAddressFamily *fb;

    fb = sk_IPAddressFamily_value(b, j);

    if (fb == NULL)

       return 0;

    if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, 

		       fa->ipAddressChoice->u.addressesOrRanges,

		       length_from_afi(v3_addr_get_afi(fb))))

  int i, j, ret = 1;

  X509 *x;

  assert(chain != NULL && sk_X509_num(chain) > 0);

  assert(ctx != NULL || ext != NULL);

  assert(ctx == NULL || ctx->verify_cb != NULL);

  OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);

  OPENSSL_assert(ctx != NULL || ext != NULL);

  OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);

  /*

   * Figure out where to start.  If we don't have an extension to

  } else {

    i = 0;

    x = sk_X509_value(chain, i);

    assert(x != NULL);

    OPENSSL_assert(x != NULL);

    if ((ext = x->rfc3779_addr) == NULL)

      goto done;

  }

   */

  for (i++; i < sk_X509_num(chain); i++) {

    x = sk_X509_value(chain, i);

    assert(x != NULL);

    OPENSSL_assert(x != NULL);

    if (!v3_addr_is_canonical(x->rfc3779_addr))

      validation_err(X509_V_ERR_INVALID_EXTENSION);

    if (x->rfc3779_addr == NULL) {